2009-05-19 02:32:17 +08:00
|
|
|
/*
|
2021-12-05 23:35:27 +08:00
|
|
|
* SPDX-FileCopyrightText: 1991 - 1994, Julianne Frances Haugh
|
|
|
|
* SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
|
|
|
|
* SPDX-FileCopyrightText: 2000 - 2006, Tomasz Kłoczko
|
|
|
|
* SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
|
2009-05-19 02:32:17 +08:00
|
|
|
*
|
2021-12-05 23:35:27 +08:00
|
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
2009-05-19 02:32:17 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#ident "$Id: $"
|
|
|
|
|
|
|
|
#include <assert.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <dirent.h>
|
2013-01-22 17:17:50 +08:00
|
|
|
#include <fcntl.h>
|
2020-01-20 20:58:07 +08:00
|
|
|
#include <unistd.h>
|
2009-05-19 02:32:17 +08:00
|
|
|
#include "defines.h"
|
|
|
|
#include "prototypes.h"
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 20:54:22 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
2013-01-22 17:17:50 +08:00
|
|
|
#include "subordinateio.h"
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 20:54:22 +08:00
|
|
|
#endif /* ENABLE_SUBIDS */
|
2021-11-29 07:37:53 +08:00
|
|
|
#include "shadowlog.h"
|
2009-05-19 02:32:17 +08:00
|
|
|
|
|
|
|
#ifdef __linux__
|
2013-01-22 17:17:50 +08:00
|
|
|
static int check_status (const char *name, const char *sname, uid_t uid);
|
2011-02-17 04:32:16 +08:00
|
|
|
static int user_busy_processes (const char *name, uid_t uid);
|
2009-05-19 02:32:17 +08:00
|
|
|
#else /* !__linux__ */
|
|
|
|
static int user_busy_utmp (const char *name);
|
|
|
|
#endif /* !__linux__ */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* user_busy - check if an user if currently running processes
|
|
|
|
*/
|
|
|
|
int user_busy (const char *name, uid_t uid)
|
|
|
|
{
|
|
|
|
/* There are no standard ways to get the list of processes.
|
|
|
|
* An option could be to run an external tool (ps).
|
|
|
|
*/
|
|
|
|
#ifdef __linux__
|
|
|
|
/* On Linux, directly parse /proc */
|
2011-02-17 04:32:16 +08:00
|
|
|
return user_busy_processes (name, uid);
|
2009-05-19 02:32:17 +08:00
|
|
|
#else /* !__linux__ */
|
|
|
|
/* If we cannot rely on /proc, check is there is a record in utmp
|
|
|
|
* indicating that the user is still logged in */
|
|
|
|
return user_busy_utmp (name);
|
|
|
|
#endif /* !__linux__ */
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifndef __linux__
|
|
|
|
static int user_busy_utmp (const char *name)
|
|
|
|
{
|
|
|
|
struct utmp *utent;
|
|
|
|
|
|
|
|
setutent ();
|
|
|
|
while ((utent = getutent ()) != NULL)
|
|
|
|
{
|
|
|
|
if (utent->ut_type != USER_PROCESS) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (strncmp (utent->ut_user, name, sizeof utent->ut_user) != 0) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (kill (utent->ut_pid, 0) != 0) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2021-11-29 07:37:53 +08:00
|
|
|
fprintf (log_get_logfd(),
|
2011-02-17 04:32:16 +08:00
|
|
|
_("%s: user %s is currently logged in\n"),
|
2021-11-29 07:37:53 +08:00
|
|
|
log_get_progname(), name);
|
2009-05-19 06:46:13 +08:00
|
|
|
return 1;
|
2009-05-19 02:32:17 +08:00
|
|
|
}
|
2009-05-19 06:46:13 +08:00
|
|
|
|
|
|
|
return 0;
|
2009-05-19 02:32:17 +08:00
|
|
|
}
|
|
|
|
#endif /* !__linux__ */
|
|
|
|
|
|
|
|
#ifdef __linux__
|
2020-01-20 20:58:07 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
|
|
|
#define in_parentuid_range(uid) ((uid) >= parentuid && (uid) < parentuid + range)
|
|
|
|
static int different_namespace (const char *sname)
|
|
|
|
{
|
|
|
|
/* 41: /proc/xxxxxxxxxx/task/xxxxxxxxxx/ns/user + \0 */
|
|
|
|
char path[41];
|
|
|
|
char buf[512], buf2[512];
|
|
|
|
ssize_t llen1, llen2;
|
|
|
|
|
|
|
|
snprintf (path, 41, "/proc/%s/ns/user", sname);
|
|
|
|
|
|
|
|
if ((llen1 = readlink (path, buf, sizeof(buf))) == -1)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if ((llen2 = readlink ("/proc/self/ns/user", buf2, sizeof(buf2))) == -1)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (llen1 == llen2 && memcmp (buf, buf2, llen1) == 0)
|
|
|
|
return 0; /* same namespace */
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
#endif /* ENABLE_SUBIDS */
|
|
|
|
|
|
|
|
|
2013-01-22 17:17:50 +08:00
|
|
|
static int check_status (const char *name, const char *sname, uid_t uid)
|
2009-05-19 02:32:17 +08:00
|
|
|
{
|
|
|
|
/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
|
|
|
|
char status[40];
|
|
|
|
char line[1024];
|
|
|
|
FILE *sfile;
|
|
|
|
|
|
|
|
snprintf (status, 40, "/proc/%s/status", sname);
|
|
|
|
|
|
|
|
sfile = fopen (status, "r");
|
|
|
|
if (NULL == sfile) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
while (fgets (line, sizeof (line), sfile) == line) {
|
|
|
|
if (strncmp (line, "Uid:\t", 5) == 0) {
|
|
|
|
unsigned long ruid, euid, suid;
|
2020-01-20 20:58:07 +08:00
|
|
|
|
2009-05-19 02:32:17 +08:00
|
|
|
assert (uid == (unsigned long) uid);
|
2020-01-20 20:58:07 +08:00
|
|
|
(void) fclose (sfile);
|
2009-05-19 02:32:17 +08:00
|
|
|
if (sscanf (line,
|
|
|
|
"Uid:\t%lu\t%lu\t%lu\n",
|
|
|
|
&ruid, &euid, &suid) == 3) {
|
|
|
|
if ( (ruid == (unsigned long) uid)
|
|
|
|
|| (euid == (unsigned long) uid)
|
2020-01-20 20:58:07 +08:00
|
|
|
|| (suid == (unsigned long) uid) ) {
|
|
|
|
return 1;
|
|
|
|
}
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 20:54:22 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
2020-01-20 20:58:07 +08:00
|
|
|
if ( different_namespace (sname)
|
|
|
|
&& ( have_sub_uids(name, ruid, 1)
|
|
|
|
|| have_sub_uids(name, euid, 1)
|
|
|
|
|| have_sub_uids(name, suid, 1))
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 20:54:22 +08:00
|
|
|
) {
|
2009-05-19 02:32:17 +08:00
|
|
|
return 1;
|
|
|
|
}
|
2020-01-20 20:58:07 +08:00
|
|
|
#endif /* ENABLE_SUBIDS */
|
2009-05-19 02:32:17 +08:00
|
|
|
} else {
|
|
|
|
/* Ignore errors. This is just a best effort. */
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
(void) fclose (sfile);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-17 04:32:16 +08:00
|
|
|
static int user_busy_processes (const char *name, uid_t uid)
|
2009-05-19 02:32:17 +08:00
|
|
|
{
|
|
|
|
DIR *proc;
|
|
|
|
struct dirent *ent;
|
|
|
|
char *tmp_d_name;
|
|
|
|
pid_t pid;
|
|
|
|
DIR *task_dir;
|
|
|
|
/* 22: /proc/xxxxxxxxxx/task + \0 */
|
|
|
|
char task_path[22];
|
|
|
|
char root_path[22];
|
|
|
|
struct stat sbroot;
|
|
|
|
struct stat sbroot_process;
|
|
|
|
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 20:54:22 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
2013-01-22 17:17:50 +08:00
|
|
|
sub_uid_open (O_RDONLY);
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 20:54:22 +08:00
|
|
|
#endif /* ENABLE_SUBIDS */
|
2013-01-22 17:17:50 +08:00
|
|
|
|
2009-05-19 02:32:17 +08:00
|
|
|
proc = opendir ("/proc");
|
|
|
|
if (proc == NULL) {
|
|
|
|
perror ("opendir /proc");
|
2017-03-24 06:07:46 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
|
|
|
sub_uid_close();
|
|
|
|
#endif
|
2009-05-19 02:32:17 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (stat ("/", &sbroot) != 0) {
|
|
|
|
perror ("stat (\"/\")");
|
|
|
|
(void) closedir (proc);
|
2015-11-18 00:52:24 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
|
|
|
sub_uid_close();
|
|
|
|
#endif
|
2009-05-19 02:32:17 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
while ((ent = readdir (proc)) != NULL) {
|
|
|
|
tmp_d_name = ent->d_name;
|
|
|
|
/*
|
|
|
|
* Ingo Molnar's patch introducing NPTL for 2.4 hides
|
|
|
|
* threads in the /proc directory by prepending a period.
|
|
|
|
* This patch is applied by default in some RedHat
|
|
|
|
* kernels.
|
|
|
|
*/
|
|
|
|
if ( (strcmp (tmp_d_name, ".") == 0)
|
|
|
|
|| (strcmp (tmp_d_name, "..") == 0)) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (*tmp_d_name == '.') {
|
|
|
|
tmp_d_name++;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check if this is a valid PID */
|
|
|
|
if (get_pid (tmp_d_name, &pid) == 0) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check if the process is in our chroot */
|
|
|
|
snprintf (root_path, 22, "/proc/%lu/root", (unsigned long) pid);
|
|
|
|
root_path[21] = '\0';
|
|
|
|
if (stat (root_path, &sbroot_process) != 0) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if ( (sbroot.st_dev != sbroot_process.st_dev)
|
|
|
|
|| (sbroot.st_ino != sbroot_process.st_ino)) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2013-01-22 17:17:50 +08:00
|
|
|
if (check_status (name, tmp_d_name, uid) != 0) {
|
2009-05-19 02:32:17 +08:00
|
|
|
(void) closedir (proc);
|
2015-11-18 00:52:24 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
|
|
|
sub_uid_close();
|
|
|
|
#endif
|
2021-11-29 07:37:53 +08:00
|
|
|
fprintf (log_get_logfd(),
|
2011-02-17 04:32:16 +08:00
|
|
|
_("%s: user %s is currently used by process %d\n"),
|
2021-11-29 07:37:53 +08:00
|
|
|
log_get_progname(), name, pid);
|
2009-05-19 02:32:17 +08:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
snprintf (task_path, 22, "/proc/%lu/task", (unsigned long) pid);
|
|
|
|
task_path[21] = '\0';
|
|
|
|
task_dir = opendir (task_path);
|
|
|
|
if (task_dir != NULL) {
|
|
|
|
while ((ent = readdir (task_dir)) != NULL) {
|
|
|
|
pid_t tid;
|
|
|
|
if (get_pid (ent->d_name, &tid) == 0) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (tid == pid) {
|
|
|
|
continue;
|
|
|
|
}
|
2013-01-22 17:17:50 +08:00
|
|
|
if (check_status (name, task_path+6, uid) != 0) {
|
2009-05-19 02:32:17 +08:00
|
|
|
(void) closedir (proc);
|
Fix covscan RESOURCE_LEAK
Error: RESOURCE_LEAK (CWE-772): [#def1]
shadow-4.8.1/lib/commonio.c:320: alloc_fn: Storage is returned from allocation function "fopen_set_perms".
shadow-4.8.1/lib/commonio.c:320: var_assign: Assigning: "bkfp" = storage returned from "fopen_set_perms(backup, "w", &sb)".
shadow-4.8.1/lib/commonio.c:329: noescape: Resource "bkfp" is not freed or pointed-to in "putc".
shadow-4.8.1/lib/commonio.c:334: noescape: Resource "bkfp" is not freed or pointed-to in "fflush".
shadow-4.8.1/lib/commonio.c:339: noescape: Resource "bkfp" is not freed or pointed-to in "fileno".
shadow-4.8.1/lib/commonio.c:342: leaked_storage: Variable "bkfp" going out of scope leaks the storage it points to.
340| || (fclose (bkfp) != 0)) {
341| /* FIXME: unlink the backup file? */
342|-> return -1;
343| }
344|
Error: RESOURCE_LEAK (CWE-772): [#def2]
shadow-4.8.1/libmisc/addgrps.c:69: alloc_fn: Storage is returned from allocation function "malloc".
shadow-4.8.1/libmisc/addgrps.c:69: var_assign: Assigning: "grouplist" = storage returned from "malloc(i * 4UL)".
shadow-4.8.1/libmisc/addgrps.c:73: noescape: Resource "grouplist" is not freed or pointed-to in "getgroups". [Note: The source code implementation of the function has been overridden by a builtin model.]
shadow-4.8.1/libmisc/addgrps.c:126: leaked_storage: Variable "grouplist" going out of scope leaks the storage it points to.
124| }
125|
126|-> return 0;
127| }
128| #else /* HAVE_SETGROUPS && !USE_PAM */
Error: RESOURCE_LEAK (CWE-772): [#def3]
shadow-4.8.1/libmisc/chowntty.c:62: alloc_fn: Storage is returned from allocation function "getgr_nam_gid".
shadow-4.8.1/libmisc/chowntty.c:62: var_assign: Assigning: "grent" = storage returned from "getgr_nam_gid(getdef_str("TTYGROUP"))".
shadow-4.8.1/libmisc/chowntty.c:98: leaked_storage: Variable "grent" going out of scope leaks the storage it points to.
96| */
97| #endif
98|-> }
99|
Error: RESOURCE_LEAK (CWE-772): [#def4]
shadow-4.8.1/libmisc/copydir.c:742: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/libmisc/copydir.c:742: var_assign: Assigning: "ifd" = handle returned from "open(src, 0)".
shadow-4.8.1/libmisc/copydir.c:748: leaked_handle: Handle variable "ifd" going out of scope leaks the handle.
746| #ifdef WITH_SELINUX
747| if (set_selinux_file_context (dst, NULL) != 0) {
748|-> return -1;
749| }
750| #endif /* WITH_SELINUX */
Error: RESOURCE_LEAK (CWE-772): [#def5]
shadow-4.8.1/libmisc/copydir.c:751: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/libmisc/copydir.c:751: var_assign: Assigning: "ofd" = handle returned from "open(dst, 577, statp->st_mode & 0xfffU)".
shadow-4.8.1/libmisc/copydir.c:752: noescape: Resource "ofd" is not freed or pointed-to in "fchown_if_needed".
shadow-4.8.1/libmisc/copydir.c:775: leaked_handle: Handle variable "ofd" going out of scope leaks the handle.
773| ) {
774| (void) close (ifd);
775|-> return -1;
776| }
777|
Error: RESOURCE_LEAK (CWE-772): [#def7]
shadow-4.8.1/libmisc/idmapping.c:188: alloc_fn: Storage is returned from allocation function "xmalloc".
shadow-4.8.1/libmisc/idmapping.c:188: var_assign: Assigning: "buf" = storage returned from "xmalloc(bufsize)".
shadow-4.8.1/libmisc/idmapping.c:188: var_assign: Assigning: "pos" = "buf".
shadow-4.8.1/libmisc/idmapping.c:213: noescape: Resource "buf" is not freed or pointed-to in "write".
shadow-4.8.1/libmisc/idmapping.c:219: leaked_storage: Variable "pos" going out of scope leaks the storage it points to.
shadow-4.8.1/libmisc/idmapping.c:219: leaked_storage: Variable "buf" going out of scope leaks the storage it points to.
217| }
218| close(fd);
219|-> }
Error: RESOURCE_LEAK (CWE-772): [#def8]
shadow-4.8.1/libmisc/list.c:211: alloc_fn: Storage is returned from allocation function "xstrdup".
shadow-4.8.1/libmisc/list.c:211: var_assign: Assigning: "members" = storage returned from "xstrdup(comma)".
shadow-4.8.1/libmisc/list.c:217: var_assign: Assigning: "cp" = "members".
shadow-4.8.1/libmisc/list.c:218: noescape: Resource "cp" is not freed or pointed-to in "strchr".
shadow-4.8.1/libmisc/list.c:244: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
shadow-4.8.1/libmisc/list.c:244: leaked_storage: Variable "members" going out of scope leaks the storage it points to.
242| if ('\0' == *members) {
243| *array = (char *) 0;
244|-> return array;
245| }
246|
Error: RESOURCE_LEAK (CWE-772): [#def11]
shadow-4.8.1/libmisc/myname.c:61: alloc_fn: Storage is returned from allocation function "xgetpwnam".
shadow-4.8.1/libmisc/myname.c:61: var_assign: Assigning: "pw" = storage returned from "xgetpwnam(cp)".
shadow-4.8.1/libmisc/myname.c:67: leaked_storage: Variable "pw" going out of scope leaks the storage it points to.
65| }
66|
67|-> return xgetpwuid (ruid);
68| }
69|
Error: RESOURCE_LEAK (CWE-772): [#def12]
shadow-4.8.1/libmisc/user_busy.c:260: alloc_fn: Storage is returned from allocation function "opendir".
shadow-4.8.1/libmisc/user_busy.c:260: var_assign: Assigning: "task_dir" = storage returned from "opendir(task_path)".
shadow-4.8.1/libmisc/user_busy.c:262: noescape: Resource "task_dir" is not freed or pointed-to in "readdir".
shadow-4.8.1/libmisc/user_busy.c:278: leaked_storage: Variable "task_dir" going out of scope leaks the storage it points to.
276| _("%s: user %s is currently used by process %d\n"),
277| Prog, name, pid);
278|-> return 1;
279| }
280| }
Error: RESOURCE_LEAK (CWE-772): [#def20]
shadow-4.8.1/src/newgrp.c:162: alloc_fn: Storage is returned from allocation function "xgetspnam".
shadow-4.8.1/src/newgrp.c:162: var_assign: Assigning: "spwd" = storage returned from "xgetspnam(pwd->pw_name)".
shadow-4.8.1/src/newgrp.c:234: leaked_storage: Variable "spwd" going out of scope leaks the storage it points to.
232| }
233|
234|-> return;
235|
236| failure:
Error: RESOURCE_LEAK (CWE-772): [#def21]
shadow-4.8.1/src/passwd.c:530: alloc_fn: Storage is returned from allocation function "xstrdup".
shadow-4.8.1/src/passwd.c:530: var_assign: Assigning: "cp" = storage returned from "xstrdup(crypt_passwd)".
shadow-4.8.1/src/passwd.c:551: noescape: Resource "cp" is not freed or pointed-to in "strlen".
shadow-4.8.1/src/passwd.c:554: noescape: Resource "cp" is not freed or pointed-to in "strcat". [Note: The source code implementation of the function has been overridden by a builtin model.]
shadow-4.8.1/src/passwd.c:555: overwrite_var: Overwriting "cp" in "cp = newpw" leaks the storage that "cp" points to.
553| strcpy (newpw, "!");
554| strcat (newpw, cp);
555|-> cp = newpw;
556| }
557| return cp;
2021-06-14 18:39:48 +08:00
|
|
|
(void) closedir (task_dir);
|
2015-11-18 00:52:24 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
|
|
|
sub_uid_close();
|
|
|
|
#endif
|
2021-11-29 07:37:53 +08:00
|
|
|
fprintf (log_get_logfd(),
|
2011-02-17 04:32:16 +08:00
|
|
|
_("%s: user %s is currently used by process %d\n"),
|
2021-11-29 07:37:53 +08:00
|
|
|
log_get_progname(), name, pid);
|
2009-05-19 02:32:17 +08:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
(void) closedir (task_dir);
|
|
|
|
} else {
|
|
|
|
/* Ignore errors. This is just a best effort */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
(void) closedir (proc);
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 20:54:22 +08:00
|
|
|
#ifdef ENABLE_SUBIDS
|
2013-01-22 17:17:50 +08:00
|
|
|
sub_uid_close();
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 20:54:22 +08:00
|
|
|
#endif /* ENABLE_SUBIDS */
|
2009-05-19 02:32:17 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif /* __linux__ */
|
|
|
|
|